
What Is CryptoWall Ransomware?

Ransomware is a type of malware that encrypts user files on a victim's computer or network. The attacker then demands a ransom from the victim in exchange for the decryption key. CryptoWall is a family of such file-encrypting ransomware. It first appeared in early 2014 and has numerous variants, including Cryptorbit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. The early variants used an RSA public key for file encryption; the newer versions use an AES key for file encryption, and that AES key is in turn encrypted with a public key. As a result, the actual key needed to decrypt the files cannot be recovered from the infected system.

Mode Of Infection:

Traditionally, CryptoWall ransomware was distributed via exploit kits, but spam emails are now also used to infect victims. The spam email carries a RAR attachment that contains a CHM file. When the victim opens the CHM file, it downloads the CryptoWall binary to the system, which copies itself into the %temp% folder.

CHM file – a Compiled HTML (CHM) file is an interactive HTML file compressed inside a CHM container, which may hold other files such as JavaScript, images, etc.

Execution:

  • The CryptoWall binary downloaded to the system is compressed or encoded. Junk instructions and anti-emulation tricks are deliberately inserted in the code to defeat antivirus engines.
  • On execution, it launches a new instance of the explorer.exe process.
  • In the next step, the ransomware injects its unpacked CryptoWall binary into that process and executes the injected code.
  • The original process exits by itself after launching the injected explorer process.
  • The files are encrypted and the ransomware deletes the volume shadow copies using the vssadmin.exe tool, so the encrypted files cannot be recovered from shadow copies.
  • The CryptoWall binary is copied to various locations such as %appdata%, %startup%, %rootdrive%, etc. The copies are added to the autostart key so that they persist even after the infected system is rebooted.
  • A new svchost.exe process is launched with user privileges and malicious binary code is injected into it.
  • The ransomware connects to I2P proxies to find a live command and control server.
  • The server replies with a unique encryption key generated specifically for the target system. Receipt of the key starts the file encryption thread, which drops ransom notes in every directory.
  • Finally, it launches Internet Explorer to display the ransom notes, and the hollowed svchost process terminates itself.

Protection:

  • Keep antivirus software up to date.
  • Back up your files.
  • Apply Windows updates regularly.
  • Avoid opening unsolicited emails and their attachments.
  • Disable remote desktop connections.
  • Block binaries running from the %appdata% and %temp% paths.
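The execution steps above and the last protection bullet translate directly into detection rules. The following Python script is an added example, not code from the original post or from Centex Technologies: it runs four such rules (shadow copy deletion via vssadmin, execution from %temp% or %appdata%, explorer.exe spawned by a binary in %temp%, and Run-key persistence pointing at a user-writable path) over constructed sample process-creation events. The "Image|CommandLine|ParentImage" record layout, the rule names, and every path and command line in the sample are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in a hypothetical
# "Image|CommandLine|ParentImage" export format (not real telemetry).
# Event 4 is benign and must not alert.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|explorer.exe|C:\Users\bob\AppData\Local\Temp\invoice.exe",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet|C:\Windows\System32\svchost.exe",
    r"C:\Users\bob\AppData\Roaming\a1b2c3.exe|a1b2c3.exe|C:\Windows\explorer.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe|C:\Windows\explorer.exe",
    r"C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\bob\AppData\Roaming\a1b2c3.exe /f|C:\Users\bob\AppData\Roaming\a1b2c3.exe",
]

# The directories the post recommends blocking execution from (%temp% and %appdata%).
USER_WRITABLE_DIRS = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Autostart keys used for persistence.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one "Image|CommandLine|ParentImage" record into its fields."""
    image, cmdline, parent = line.split("|", 2)
    return {"image": image, "cmdline": cmdline, "parent": parent}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event triggers."""
    hits: List[str] = []
    image, cmdline, parent = event["image"], event["cmdline"], event["parent"]
    low = cmdline.lower()

    # Shadow copy deletion: vssadmin used to destroy restore points.
    if basename(image) == "vssadmin.exe" and "delete" in low and "shadows" in low:
        hits.append("shadow_copy_deletion")

    # A binary executing from %temp% or %appdata%.
    if USER_WRITABLE_DIRS.search(image):
        hits.append("exec_from_user_writable_dir")

    # explorer.exe started by something in %temp%: the spawn-and-inject step.
    if basename(image) == "explorer.exe" and USER_WRITABLE_DIRS.search(parent):
        hits.append("explorer_spawned_from_temp")

    # Run-key persistence whose target lives in a user-writable directory.
    if basename(image) == "reg.exe" and RUN_KEY.search(cmdline) and USER_WRITABLE_DIRS.search(cmdline):
        hits.append("run_key_persistence")
    return hits


def analyze_events(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every event; return only the events that alert."""
    alerts: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        event = parse_event(line)
        hits = match_rules(event)
        if hits:
            alerts.append({"event": n, "image": event["image"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(f"event {alert['event']}: {alert['image']} -> {', '.join(alert['rules'])}")
```

On the sample, events 1, 2, 3 and 5 alert and the notepad.exe event stays quiet. The execution-from-%appdata% rule is the noisiest of the four in practice (updaters and some chat clients legitimately run from there), so it is usually paired with an allowlist; the shadow-copy and Run-key rules are specific enough to page on directly.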

For more information on Cryptowall ransomware, contact Centex Technologies at (254) 213 – 4740.


Data Protection From Malicious VPN Apps

Web users turn to VPN services on the assumption that a VPN keeps their web browsing and personal data safe. However, recent research has revealed vulnerabilities in several common and popular VPN apps.

These vulnerabilities include:

  • Missing encryption of sensitive data.
  • Hard-coded cryptographic keys within the app; thus, even if the data is encrypted, hackers can decrypt it using these keys.
  • Privacy-breaking bugs such as DNS leaks, which expose user DNS queries to their ISPs.
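The second vulnerability in the list, hard-coded cryptographic keys, is something an app reviewer can check for statically once the app's code is available. The following Python scanner is an added example, not code from the original post or from any VPN vendor: it runs over constructed sample lines in the style of decompiled Java and flags PEM private-key blocks, key-like identifiers assigned long string literals, and high-entropy literals wherever they appear. The sample lines, the identifier names, the sensitive-word list and the length and entropy thresholds are assumptions made for this example.

```python
import math
import re
from typing import Dict, List

# Constructed sample lines, as if taken from a decompiled app's sources.
# The key is the FIPS-197 test vector and the IV a counting pattern;
# nothing here comes from a real app.
SAMPLE_SOURCE = [
    'private static final String AES_KEY = "2b7e151628aed2a6abf7158809cf4f3c";',
    'private static final String IV = "000102030405060708090a0b0c0d0e0f";',
    'String apiBase = "https://api.example-vpn.test/v1";',
    'String label = "Connected to server";',
    'byte[] secret = Base64.decode("u3XhQ9o2bLm7Kd1TzR8wPq5vYc0eNfGs", Base64.DEFAULT);',
    '-----BEGIN RSA PRIVATE KEY-----',
]

# Words that make an identifier "sensitive" (assumed list for the example).
SENSITIVE_TOKENS = {"key", "secret", "token", "password", "passwd", "iv", "salt"}
ASSIGNMENT = re.compile(r'(\w+)\s*=\s*[^"]*"([^"]*)"')
STRING_LITERAL = re.compile(r'"([^"]*)"')
PEM_PRIVATE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Splits camelCase and snake_case identifiers into their words.
NAME_TOKENS = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sensitive_name(name: str) -> bool:
    """True if any word of the identifier is a key-like word."""
    tokens = {t.lower() for t in NAME_TOKENS.findall(name)}
    return bool(tokens & SENSITIVE_TOKENS)


def scan_line(line: str) -> List[str]:
    """Return the findings for one source line."""
    findings: List[str] = []
    if PEM_PRIVATE.search(line):
        findings.append("pem_private_key")
    m = ASSIGNMENT.search(line)
    # A key-like name assigned a literal of at least 16 characters.
    if m and is_sensitive_name(m.group(1)) and len(m.group(2)) >= 16:
        findings.append("key_material_in_sensitive_name")
    # Any long literal whose characters look random (4.5 bits/char or more).
    for lit in STRING_LITERAL.findall(line):
        if len(lit) >= 24 and shannon_entropy(lit) >= 4.5:
            findings.append("high_entropy_literal")
            break
    return findings


def scan_source(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their findings; clean lines are omitted."""
    results: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            results[n] = findings
    return results


if __name__ == "__main__":
    for n, findings in scan_source(SAMPLE_SOURCE).items():
        print(f"line {n}: {', '.join(findings)}")
```

The name-based rule is what catches the two hex constants: a 32-character hex string tops out at 4 bits per character, so an entropy threshold alone would miss it, and the all-zeros-heavy IV scores even lower. The entropy rule earns its keep on the base64 secret, which would be flagged even if it had been assigned to an innocuous name. A URL and a UI string stay clean under both rules.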

These vulnerabilities allow hackers to intercept user communications, including web browsing history, usernames, passwords, photos, videos, and messages. The privacy breaches include location tracking, access to device status information, use of the camera, microphone access and the ability to send SMS messages secretly. Using these vulnerabilities, hackers can manipulate users into connecting to their malicious VPN servers.

In addition to these vulnerabilities, there are some other concerns associated with free VPN apps:

  • Some free VPN apps sell your bandwidth to paying customers, allowing them to use your device's processing power.
  • Malicious VPN apps incorporate ads that may carry malware. These apps may also share users' online activity with third-party marketing firms.

Some signs that your phone has been affected by malware are:

  • The phone becomes slow.
  • Apps take longer to load.
  • The battery drains faster than usual.
  • A large number of pop-up ads appear.
  • Unexplained data usage.

As data breaches keep growing in number, it has become important to take measures to safeguard yourself against malicious VPN apps. The following are some measures you should take:

  • Check that you have sufficient information about the app developer. Download VPN apps from trusted developers only.
  • Check the app reviews. You can also search for the app on a search engine to see whether there is any controversial news about it.
  • Audit the apps on your phone to confirm that each one was installed by you.
  • Delete apps that you don't use frequently.
  • Run a malware scan after downloading any app to ensure it is safe.

For more information on ways to protect your data from malicious VPN apps, contact Centex Technologies at (254) 213 – 4740.

Comprehensive Guide To Mobile Data Security

PDF Version: Comprehensive-Guide-To-Mobile-Data-Security

Frequently Asked Questions About Malware Botnet

A Malware Bot is a type of malware that takes control of the infected machine once the infection has spread through the system. It acts on the instructions of its master, i.e. the malware writer. The following are some of the most commonly asked questions about malware botnets:

  • What Actions Does A Malware Bot Perform?

A Malware Bot can perform numerous tasks, such as:

  • Spying & tracking
  • Sending spam, hosting command servers, working as a proxy & performing other malicious activities
  • Accessing corporate resources & hijacking them
  • Stealing confidential information, documents, credentials, etc.
  • Bitcoin mining
  • Web browsing

  • Do All Malware Bots Perform The Same Actions?

A bot can perform all of the actions mentioned above. However, there are two kinds of malware action that a Malware Bot does not perform, not because it is incapable of doing so, but because they make little business sense. These are:

  • Actions That Impair The Machine: A Malware Bot cannot work in a damaged environment. When the software environment is damaged the machine is usually reinstalled, which removes the bot. So a Malware Bot does not usually perform an action that would prevent it from running on the machine.
  • Actions That Reveal The Infection: A bot does not want the user to know about its presence on the machine, which is why it operates stealthily. It therefore does not resort to activities such as modifying browser settings, popping up dialog boxes, etc.

  • How Are Botnets Investigated?

Once malware is launched, it reaches malware researchers sooner or later. They capture it through various channels such as malware spam, honeypots, phishing sites, product reports, etc. Once captured, the researchers analyze it in a controlled environment to observe its behaviour and the updates it receives.

  • How Is A Botnet Controlled?

It is controlled by a computer or a group of computers running a command & control server (C&C server). The server communicates with the Malware Bot and sends it instructions in a format the bot understands. Through it the operator performs numerous functions, such as instructing the bots to schedule or execute a task, keeping track of the number & distribution of bots, and updating the bots by replacing them with a new type of malware.

  • Why Do Botnets Emerge?

The main reason malware writers develop, deploy & maintain a botnet is financial gain.

  • How To Prevent A Malware Botnet?

Having seen how a malware botnet works, here is how to prevent one:

  • Update your operating system regularly.
  • Avoid downloading from P2P & file-sharing networks.
  • Don't click on suspicious attachments & links.
  • Install good antivirus software.
  • Follow good browsing habits.

For more information, call Centex Technologies at (254) 213-4740.

What Is Crypto Mining Malware?

Crypto mining malware is a software program developed to hijack a computer's resources without the owner's knowledge or permission. The hijacked resources are then used by cybercriminals to mine cryptocurrency.

According to Symantec’s latest annual security threat landscape report, cryptocurrency miners grew by 8500 percent in 2017.

Unlike ransomware and phishing attacks, the main purpose of cryptojacking is to inject crypto mining malware into the system, create a nuisance and earn cryptocurrency. If the crypto mining software is injected on a system with critical and high-availability assets, the computational resources can become unusable for their primary business functions.

How To Detect It?

The mining malware runs in the background, so an ordinary user does not realize what is happening. It generally seizes the computer's Central Processing Unit (CPU) and Graphics Processing Unit (GPU), which slows other processes down or brings them to a halt. Overheating, crashes, slow response times and unusual network activity, i.e. connections to mining-related websites and IP addresses, are things you must take note of.

The following simple steps can also help:

  • Set up a network monitoring solution.
  • Monitor your websites for crypto mining code.
  • Keep yourself informed about recent crypto mining trends.

Types Of Miners

There are 3 main types of miners:

  • Browser-Based Cryptocurrency Miners – These are JavaScript miners that do their work inside a web browser. They consume resources for as long as the browser stays open on the website. Some website owners use these miners intentionally in place of running ads, while at other times they are injected into websites without the website owner's knowledge.
  • Executables – Designed specifically for crypto mining, these are Potentially Unwanted Application (PUA) executable files (.exe) placed on the computer.
  • Advanced Fileless Miners – This malware does its mining in the computer's memory, generally by misusing system resources to do so.
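To make the detection advice above concrete, here is an added Python example, not code from the original post, covering two of the signals the post names: unusual network activity, checked here by looking for stratum mining-protocol messages and common pool ports in constructed connection records, and crypto mining code on a website, checked by scanning a constructed HTML page for a blocklisted script host and a miner-style inline API call. The record format, the IP addresses (documentation ranges), the hostnames, the blocklist, the port list and the shape of the miner API call are all assumptions made for this example; the stratum method names are the ones used by Monero-style and Bitcoin-style pools.

```python
import json
import re
from typing import Dict, List

# Constructed sample connection records: "dst_ip:port|first_payload_line".
# Addresses are from documentation ranges; the wallet is a placeholder.
SAMPLE_CONNECTIONS = [
    '203.0.113.10:3333|{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"SAMPLE_AGENT/1.0"}}',
    '198.51.100.7:443|GET /index.html HTTP/1.1',
    '203.0.113.22:14444|{"id":1,"method":"mining.subscribe","params":["SAMPLE_AGENT/1.0"]}',
    '198.51.100.9:8080|{"id":7,"method":"getUser","params":[]}',
]

# Constructed sample page: one ordinary script and one injected miner.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.test/app.js"></script>
<script src="https://miner.example.test/lib/miner.min.js"></script>
<script>var m = new Miner.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5}); m.start();</script>
</head><body>Hello</body></html>"""

# Stratum method names: Monero-style pools use login/getjob/submit/keepalived,
# Bitcoin-style pools use the mining.* family.
STRATUM_METHODS = {"login", "getjob", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}
# Ports commonly used by public pools; a weak signal on its own (assumed list).
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14433, 14444}
# Hypothetical blocklist of script hosts; a real one would come from threat intel.
MINER_SCRIPT_HOSTS = {"miner.example.test"}
# Heuristic for an inline miner: "new <Something>Miner<Something>.<Ctor>(" or a stratum URL.
MINER_API_CALL = re.compile(r"new\s+\w*miner\w*\.\w+\(|stratum\+tcp://", re.IGNORECASE)
SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*src=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def classify_connection(record: str) -> List[str]:
    """Return indicator names for one connection record."""
    endpoint, payload = record.split("|", 1)
    port = int(endpoint.rsplit(":", 1)[1])
    hits: List[str] = []
    try:
        msg = json.loads(payload)
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            hits.append("stratum_rpc")
    except json.JSONDecodeError:
        pass  # not JSON, so not a stratum message
    if port in COMMON_POOL_PORTS:
        hits.append("common_pool_port")
    return hits


def scan_connections(records: List[str]) -> Dict[str, List[str]]:
    """Endpoints that triggered at least one indicator, with the indicators."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        hits = classify_connection(rec)
        if hits:
            out[rec.split("|", 1)[0]] = hits
    return out


def scan_html(page: str) -> List[str]:
    """Flag blocklisted script hosts and inline miner-style API calls."""
    findings: List[str] = []
    for src in SCRIPT_SRC.findall(page):
        host = re.sub(r"^https?://", "", src).split("/", 1)[0]
        if host in MINER_SCRIPT_HOSTS:
            findings.append(f"blocklisted_script:{host}")
    for body in INLINE_SCRIPT.findall(page):
        if MINER_API_CALL.search(body):
            findings.append("inline_miner_api_call")
    return findings


if __name__ == "__main__":
    for endpoint, hits in scan_connections(SAMPLE_CONNECTIONS).items():
        print(f"{endpoint}: {', '.join(hits)}")
    print("page:", ", ".join(scan_html(SAMPLE_HTML)))
```

Two of the four sample connections alert on both indicators; the HTTPS request and the unrelated JSON-RPC call stay clean. Of the method names, "login" and "submit" are generic enough to appear in ordinary JSON-RPC APIs, so on real traffic it is the combination with a pool port, a sustained connection and high CPU on the source host that makes the alert actionable, whereas the "mining.*" methods are specific by themselves.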

How To Protect Yourself Against It?

  • Use a browser extension that blocks most JavaScript miners to protect yourself from crypto mining malware.
  • Use strong antivirus software to protect yourself from unsafe websites, viruses and malware.
  • Update your operating system regularly to protect yourself from vulnerabilities.
  • Keep your web filtering tools up to date.

For more information on protection from Crypto Mining Malware, call Centex Technologies at (254) 213-4740.

© Copyright 2022 The Centex IT Guy. Developed by Centex Technologies